October 27, 2022

The Federal Trade Commission is investigating Drizly and its CEO, James Cory Rellas, over allegations that the security breach at Drizly exposed the personal information of about 2.5 million customers.

The FTC alleges that Drizly and Rellas were alerted to problems with the company’s data security protocols after an earlier security incident, when a Drizly employee posted the company’s cloud computing account login information on the software design and hosting platform GitHub in 2018.

As a result of this vulnerability, hackers were able to mine cryptocurrency on Drizly’s servers until the company changed its login information for its cloud computing account. Drizly did not properly address its security issues, despite publicly claiming to have taken adequate security precautions. A hacker broke into an employee account two years later and gained access to Drizly’s company-owned GitHub login information, hacked into the company’s database, and then stole customer information.

According to the FTC, Rellas needs to introduce improved security measures now and in the future wherever he works, and wants the company to eliminate unnecessary data, limit the amount of data it can collect and store, and bind Rellas to specific data security requirements for his role in presiding over illegal business practices.

“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “CEOs who take shortcuts on security should take note.”

In addition, the company and its CEO must improve security controls, mandate multi-factor authentication, and provide security training to employees. The FTC will decide whether the proposed order is final after a 30-day public comment period.

The sources for this piece include an article in TheRegister.